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WHAT IS CLAIMED IS: 

1 1 . A system for maintaining security in a distributed computing 

2 environment, comprising: 

3 a policy manager for managing a security policy; and 

4 an application guard for managing access to securable components 

5 " as specified by the security policy. 

1 2. The system of claim 1, wherein said policy manager comprises a 

2 management station for constructing and editing the security policy. 

1 3. The system of claim 2, wherein said policy manager ftuther 

2 comprises a distributor for distributing the security policy to a client. 

1 4. The system of claim 2, wherein said policy manager further 

2 comprises a distributor for distributing a customized local policy based 

3 on the security policy to a client. 

1 5. The system of claim 4, wherein said policy manager fuither 

2 comprises a logger for recording and tracking authorization events that 

3 occur through the application guard. 
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6. The system of claim 4, wherein the policy manager further 
comprises a database management system for maintaining the security 
policy. 

7. The system of claim 4, wherein the customized local policy is 
optimized. 

8. the system of claim 1, wherein said securable components £ire 
selected from the group consisting of: at least one application, a function 
within an apphcation, a procedure within an application, a data 
structure within an application, a database object referenced by an 
application, or a file system object referenced by an application. 

9. The system of claim 1, wherein said system is scalable by further 
comprising a plurality of clients, said policy manager further managing 
and distributing a customized local policy to each client, and at least one 
additional application guard located on each client for managing access 
to the securable components as specified by each customized local 
policy. 
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1 10. The system of claim 1, wherein said application guard includes an 

2 application guard interface coupled to an application for requesting 

3 access to the securable components, and at least one authorization 

4 engine for evaluating requests from the application guard interface as 

5 specified by a customized local policy based on the security policy. 

1 11. the system of claim 10, wherein said application guard interface is 

2 located on a client, and said at least one authorization engine and said 

3 customized local policy are located on a client server. 

1 12. The system of claim 1, wherein the security policy is defined by a 

2 policy language to grant or deny access to the securable components for 

3 a particular user. 

1 13. The system of claim 1 further comprising a policy loader for bulk 

2 loading the security policy onto the system. 

1 14. The system of claim 1, v/herein said policy manager includes a set 

2 of menu options to manage and distribute the security policy. 
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1 1 5. The system of claim 14, wherein said set of menu options include: 

2 navigate tree, analyze policy, edit policy, distribute policy, and view audit 

3 log. 

1 16. The system of claim 1, wherein the application guard further 

2 allows for additional customized code to process and evaluate 

3 authorization requests based on the additional customized code. 

1 17. The system of claim 1 , wherein the policy manager further includes 

2 a policy manager application guard for managing access to the policy 

3 manager as specified by a local administrative policy. 

y 

1 18. A system for controlling user access in a distributed computing 

2 environment, comprising: 

3 a global policy specifying access privileges of the user to securable 

4 components; 

5 a policy manager located on a server for managing and distributing 

6 a local client policy based on the global policy to a client, and 

7 an application guard located on the client for managing access to 

8 the securable components as specified by the local client 

9 policy. 
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19. The system of claim 18 further comprising at least one additional 
client, said policy manager further managing and distributing a 
customized local policy based on the global policy to each additional 
client, and at least one additional application guard located on each 
additional client for managing access to the securable components as 
specified by the customized local policy. 

20. the system of claim 18, wherein said policy manager comprises: 
a management station for constructing and editing the global 

policy; and 

a distributor for distributing the local policy to the client. 

21. The system of claim 20, wherein said policy manager further 
comprises a database management system for maintaining the global 
policy. 

22. The system of claim 18, wherein said policy manager further 
comprises a logger for recording and tracking authorization events that 
occur through the application guard. 



39 



23. The system of claim 18, wherein said securable components are 
selected from the group consisting of: at least one application, a function 
within an application, a procedure within an application, a data 
structure within an application, a database object referenced by an, 
application, or a file system object referenced by an application. 

24. The system of claim 1 8, wherein the global poUcy is defined by a 
policy language to grant or deny access to the securable components for 
a particular user. ■ 

25. The system of claim 18, wherein said system is scalable by further 
comprising a plurality of clients, said policy manager further managing 
and distributing a customized local policy to each client, and at least one 
additional application guard located on each client for managing access 
to the securable components as specified by each customized local 
policy. 

26. The system of claim 18, wherein said application guard includes 
an application guard interface coupled to an application for requesting 
access to the securable components, and at least one authorization 
engine for evaluating requests from tlie application guard interface as 
specified by the local client policy. 
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1 27. The system of claim 18 further comprising a policy bulk loader for 

2 bulk loading the global policy onto the system. 

1 28. The system of claim 18, wherein the local client policy is optimized. 

1 29. The system of claim 18, wherein the application guard further 

2 aUowsifor additional customized code to process and evaluate 

3 authorization requests based on the additional customized code. 

1 30. The system of claim 18, wherein the policy manager further 

2 includes a policy manager application guard for managing access to the 

3 policy manager as specified by a local administrative policy. 



131. A system for authorization that provides access to securable 

2 components for a user, comprising: 

3 a policy specifying access privileges of the user to the securable 

4 components; 

5 an application guard; and 

6 a processor coupled to said system, said processor executing said 

7 application guard to manage access to the securable 

8 components. 
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1 32 . The system of claim 3 1 further including an audit log for recording 

2 and tracking each authorization event that occurs though the application 

3 guard. 



1 33. The system of claim 31, wherein said securable components are 

2 selected from the group consisting of: at least one application, a function 

3 within an application, a procedure within an application, a data 

4 structiiie within an application, a database object referenced by an 

5 application, or a file system object referenced by an application. 

1 34. The system of claim 31, wherein said application guard comprises 

2 an application guard interface connected to an application for managing 

3 access to the securable components in said application. 

1 35. The system of claim 31, wherein the application guard further. 

2 allows for additional customized code to process and evaluate 

3 authorization requests based on the additional customized code. 

1 36. The system of claim 31, wherein said application guard includes 

2 an application guard interface coupled to an application for requesting 

3 access to the securable components, and at least one authorization 

4 engine for evaluating requests from the application guard interface as 

5 specified by a customized local policy based on the policy. 
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1 37. The system of claim 36, wherein said application guard interface is 

2 located on a client, and said at least one authorization engine and said 

3 customized local policy are located on a client server. 

1 38. A system for managing security in a distributed computing 

2 environment, comprising: 

3 a policy manager; and 

4 a processor coupled to said system, said processor executing said 
^ policy manager to manage and distribute a customized local 
6 policy based on a global policy to a client. 

1 39. The system of claim 38, wherein said policy manager comprises a 

2 management station for constructing and editing the global policy. 

1 40. The system of claim 39, v/herein said policy manager further 

2 comprises a distributor for distributing the customized local policy to the 

3 client. 

1 41. The system of claim 38, wherein said policy manager further 

2 comprises a logger for recording and tracking authorization events that 

3 are received from the client. 
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1 42. The system of claim 38, wherein said global policy specifies access 

2 privileges of at least one user to securable components. 

1 43. The system of claim 38, wherein the policy manager comprises a 

2 database management system for maintaining the global policy. 

1 44. The system of claim 38, wherein the global policy is defined by a 

2 policy language to grant or deny access to securable components for a 

3 particular user. 

1 45. The system of claim 38, wherein said policy manager includes a set 

2 of menu options to manage and distribute the customized local policy. 

1 46. The system of claim 38, wherein the customized local policy is 

r 

2 optimized. 

1 47. The system of claim 38, v/herein the policy manager further 

2 includes a policy manager application guard for managing access to the 

3 policy manager as specified by a local administrative policy. 
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1 48. A method for maintaining security in a distributed computing 

2 environment, comprising the steps of: 

3 managing a policy using a policy manager by specifying access 

4 privileges of a user to securable components; and 

5 distributing the policy to a client having an application guard, 

6 whereby the application guard manages access to the 
" securable compo 

1 49. The method of claim 48, further including the step of recording 

2 authorization events that occur through the application guard after 

3 distributing the policy. 

1 50. The method of claim 48, wherein the securable components are 

2 selected from the group consisting of: at least one appUcation, a function 

3 within an application, a procedure within an application, a data 

4 structure within an application, a database object referenced by an 

5 application, or a file system object referenced by an application. 
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1 51. A method for maintaining security on a client in a distributed 

2 computing environment, comprising the steps of: 

3 constructing and issuing an authorization request for a user to 

4 access to securable components located on the client using 

5 an application guard; 

6 evaluating the authorization request using the application guard to 

7 a* "determine if the authorization request is valid or invalid^ and 

8 allowing access to the user via the application guard if the 

^ evaluated authorization request was valid, and denying 

■ access to the user via the application guard if the 

^ ^ " authori^tion request was invalid. 

1 52. The method of claim 5 1 , after evaluating the authoiization request, 

2 further including the step of recording the authorization request in an 

3 audit log. 
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1 53. A computer-readable medium comprising program instructions for 

2 maintaining security in a distributed computing environment by 

3 performing the steps of: 

4 managing a policy using a policy manager by specifying access 
^ privileges of a user to securable components; 

distributing the policy using the policy manager to a cUent having 
,ii application guard, whereby the application guard - 

manages access to the securable components as specified by 



9 the policy; and 



10 



executing said policy manager with a processor to manage and 



11' distribute the policy. 
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1 54. A computer-readable medium comprising program instructions for 

2 maintaining security on a client in a distributed computing environment 

3 by performing the steps of: 

4 constructing and issuing an authorization request for a user to 

5 access to securable components located on the client using 

6 an application guard; 

7 ev^uating the authorization request using the application gxiard to 

8 determine if the authorization request is valid or invalid; 

9 allowing access to the user via the application guard if the 
evaluated authorization request was valid, and denying 

^ ^ ' access to the user via the application guard if the 

^2 authomation request was invalid; and 

13 executing said application guard with a processor to automatically 

f 

maintain security on the client. 
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1 55. A system for maintaining security in a distributed computing 

2 environment, comprising: 

3 means for managing a policy using a policy manager by specifying 

4 access privileges of a user to securable components; 

5 means for distributing the policy using the policy manager to a 

^ client having an application guard, whereby the application 

7 , M^guard manages access to the securable components as ^ 

8 specified by the policy; and 

9 means for executing the poUcy manager to manage and distribute 
10 the policy. 
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56. A system for maintaining security on a client in a distributed 
computing environment, comprising: 

means for constructing and issuing an authorization request for a 
user to access to securable components located on the client 
using an application guard; 
means for evaluating the authorization request using the 
. , ^ .^^ guard to determine if the authorization request is 

valid or invalid; 

means for allowing access to the user via the application guard if 
the evaluated authorization request was valid, and denying 
access to the user via the application guard if the 
autliorization request was invalid; and 

means for executing said application guard to automatically 
maintain security on the client. 
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